Cannot see the result #38

Open
alasalamont opened this issue Jan 6, 2024 · 0 comments
alasalamont commented Jan 6, 2024

Hi bro,

Attempt 1:

Here is the command that I ran:

docker run wangyihang/githacker --brute --url https://example.com/.git/ --output-folder result

The tool ran for around 10 minutes

2024-01-06 22:16:15 INFO 1 urls to be exploited
2024-01-06 22:16:15 INFO Exploiting https://example.com/.git/ into result/2c3addf32fa248db42a1ee6cbb5fc923
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
2024-01-06 22:16:15 INFO Downloading basic files...
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
2024-01-06 22:16:16 ERROR FileExistsError(17, 'File exists')
2024-01-06 22:16:16 ERROR [0 bytes] 404 .git/COMMIT_EDITMSG
2024-01-06 22:16:16 INFO [73 bytes] 200 .git/description
2024-01-06 22:16:16 ERROR FileExistsError(17, 'File exists')
2024-01-06 22:16:16 INFO [23 bytes] 200 .git/HEAD
2024-01-06 22:16:16 ERROR FileExistsError(17, 'File exists')
2024-01-06 22:16:16 ERROR [0 bytes] 404 .git/FETCH_HEAD
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

And it stops right here

/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
2024-01-06 22:38:05 ERROR FileExistsError(17, 'File exists')
2024-01-06 22:38:05 ERROR [0 bytes] 404 .git/objects/cc/69db0bd9630502abab59915b137914c04db66b
2024-01-06 22:38:05 ERROR FileExistsError(17, 'File exists')
2024-01-06 22:38:05 ERROR [0 bytes] 404 .git/objects/f2/117923e6f8507f0947fe70a2a81aa5e35bf64a
2024-01-06 22:38:05 INFO Running git fsck files...
Traceback (most recent call last):
  File "/usr/local/bin/githacker", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/GitHacker/__init__.py", line 520, in main
    ).start()
      ^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/GitHacker/__init__.py", line 93, in start
    return self.blind()
           ^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/GitHacker/__init__.py", line 172, in blind
    process = subprocess.run(
              ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/subprocess.py", line 548, in run
    with Popen(*popenargs, **kwargs) as process:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/subprocess.py", line 1024, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/local/lib/python3.11/subprocess.py", line 1901, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'git'
root@1bytedemo:~/Desktop/GitHacker# ls
Dockerfile  figure  GitHacker  Makefile  README.md  requirements.txt  setup.py  templates  test  utils

I did not see the result directory. So what's wrong? I confirmed that the site blocks access to the directory ./git, but allows downloading the files inside it, such as .git/config, .git/index, etc.


Attempt 2:

This time I ran it locally, not from Docker. Here is the local command:

githacker --url https://example.com/.git/ --brute --threads 1 --output-folder /root/Desktop/result

And the tool did work and did the brute force

2024-01-07 05:59:53 INFO 1 urls to be exploited
2024-01-07 05:59:53 INFO Exploiting https://example.com/.git/ into /root/Desktop/result/2c3addf32fa248db42a1ee6cbb5fc923
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2024-01-07 05:59:54 INFO Downloading basic files...
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2024-01-07 05:59:54 ERROR [0 bytes] 404 .git/COMMIT_EDITMSG
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2024-01-07 05:59:54 ERROR FileExistsError(17, 'File exists')
2024-01-07 05:59:54 INFO [73 bytes] 200 .git/description
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2024-01-07 05:59:54 ERROR FileExistsError(17, 'File exists')
2024-01-07 05:59:54 ERROR [0 bytes] 404 .git/FETCH_HEAD
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2024-01-07 05:59:54 ERROR FileExistsError(17, 'File exists')
2024-01-07 05:59:54 INFO [23 bytes] 200 .git/HEAD
/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'example.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,

And it stops right here

2024-01-07 06:07:37 WARNING .git/objects/8f/3deef92bbb1d69cea0668e27392ff187210267 does not exist
2024-01-07 06:07:37 WARNING .git/objects/3d/3ae5d49a12dd4a6eb718adb0d4b7d39d3864f1 does not exist
2024-01-07 06:07:37 WARNING .git/objects/c1/5faa5eeecd2922ba2d03ae67aa913b2f300f99 does not exist
2024-01-07 06:07:37 WARNING .git/objects/c7/2e9015ccb53c4947da4b641da2beae894bd3cf does not exist
2024-01-07 06:07:37 WARNING .git/objects/c8/29c1fc0954f2656bf7710a28bede56e8a1f0dc does not exist
2024-01-07 06:07:37 WARNING .git/objects/47/723dc9144cfec31c03717f961926cbf8d10c0d does not exist
2024-01-07 06:07:37 WARNING .git/objects/3d/3b64a5a9b7f99823c7aa50925befa3f62589a8 does not exist
2024-01-07 06:07:37 WARNING .git/objects/2b/74668b32aa5349ed4fcb0b6d678e32f9cd5098 does not exist
2024-01-07 06:07:37 WARNING .git/objects/f6/492632825b6a96aabf4569d951665f3c154ecc does not exist
2024-01-07 06:07:37 WARNING .git/objects/a3/dd1c123791905de8c64ae6d1e845abc126d9e1 does not exist
2024-01-07 06:07:37 WARNING .git/objects/db/9f1a4438b9b73687d554c38b582c4c58053baf does not exist
2024-01-07 06:07:37 WARNING .git/objects/25/ad2609a207ca211ef774d5fba0aa1f5aa2981a does not exist
2024-01-07 06:07:37 WARNING .git/objects/46/05ec9dbc49fbfb1da639f1b0df318b9431be5a does not exist
2024-01-07 06:07:37 WARNING .git/objects/86/5daab6aa70d1f594f4de1eea7fb1d4df14c2ed does not exist
2024-01-07 06:07:37 WARNING .git/objects/38/8f6f03f385c221cc298b66e950d6a00c1d7b54 does not exist
2024-01-07 06:07:37 WARNING .git/objects/2f/a25b968e0f299c755b71401c8c51080f297793 does not exist
2024-01-07 06:07:37 WARNING .git/objects/41/66406dc41aed8f3d4444cf1a6979c7ebc2306f does not exist
2024-01-07 06:07:37 WARNING .git/objects/c4/69cd57ff9630907ef3c461652eff78d3ddee74 does not exist
2024-01-07 06:07:37 INFO Cloning downloaded repo from /tmp/tmpdvdjwn96 to /root/Desktop/result/2c3addf32fa248db42a1ee6cbb5fc923
2024-01-07 06:07:37 ERROR Cloning into '/root/Desktop/result/2c3addf32fa248db42a1ee6cbb5fc923'...
error: refs/heads/master does not point to a valid object!
error: refs/remotes/origin/HEAD does not point to a valid object!
error: refs/remotes/origin/dev-michael does not point to a valid object!
error: refs/remotes/origin/master does not point to a valid object!
error: refs/remotes/origin/staging does not point to a valid object!
done.
fatal: update_ref failed for ref 'HEAD': cannot update ref 'HEAD': trying to write ref 'HEAD' with nonexistent object 180b519b5599fdbfd3f00cf608130d71540eb506
fatal: The remote end hung up unexpectedly
2024-01-07 06:07:37 INFO 0 / 1 were exploited successfully

This time the output result directory exists. But when I check the contents of the output, it does not show the files from the server

root@1bytedemo:~/Desktop/result# tree -a
.
└── 2c3addf32fa248db42a1ee6cbb5fc923
    └── .git
        └── logs
            ├── HEAD
            └── refs
                ├── heads
                │   └── master
                └── remotes
                    └── origin
                        └── HEAD

7 directories, 3 files
root@1bytedemo:~/Desktop/result#

It does not have config, index, etc., which can be downloaded directly from the website

When I test other tools like git-dumper and githack, they can show them...

Regards!
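
An added example, not part of the original issue and not GitHacker's own code: a small triage pass over the two logs quoted in the report. It separates the two distinct failures visible there, the `git` executable being absent where the tool runs (the traceback in attempt 1) and refs that name objects the server answered 404 for (the clone errors in attempt 2). The function name `triage` and the excerpted constants are illustrative.

```python
import re
from collections import Counter

# Excerpts of the two logs quoted above, reduced to the lines that matter.
DOCKER_RUN = """\
2024-01-06 22:16:16 INFO [23 bytes] 200 .git/HEAD
2024-01-06 22:38:05 ERROR [0 bytes] 404 .git/objects/cc/69db0bd9630502abab59915b137914c04db66b
2024-01-06 22:38:05 INFO Running git fsck files...
FileNotFoundError: [Errno 2] No such file or directory: 'git'
"""
LOCAL_RUN = """\
2024-01-07 05:59:54 INFO [23 bytes] 200 .git/HEAD
2024-01-07 06:07:37 WARNING .git/objects/8f/3deef92bbb1d69cea0668e27392ff187210267 does not exist
error: refs/heads/master does not point to a valid object!
error: refs/remotes/origin/staging does not point to a valid object!
2024-01-07 06:07:37 INFO 0 / 1 were exploited successfully
"""

FETCH = re.compile(r"\[\d+ bytes\] (\d{3}) (\.git/\S+)")
GONE = re.compile(r"(\.git/objects/[0-9a-f]{2}/[0-9a-f]{38}) does not exist")
BAD_REF = re.compile(r"error: (refs/\S+) does not point to a valid object")
NO_EXE = re.compile(r"FileNotFoundError: .*No such file or directory: '([^']+)'")

def triage(log):
    """Summarise one run: HTTP status counts, missing objects, dangling refs, cause."""
    status, missing, bad_refs, no_exe = Counter(), set(), [], None
    for line in log.splitlines():
        fetch, gone = FETCH.search(line), GONE.search(line)
        ref, exe = BAD_REF.search(line), NO_EXE.search(line)
        if fetch:
            status[fetch.group(1)] += 1
            if fetch.group(1) != "200" and "/objects/" in fetch.group(2):
                missing.add(fetch.group(2))  # object path the server did not serve
        if gone:
            missing.add(gone.group(1))
        if ref:
            bad_refs.append(ref.group(1))
        if exe:
            no_exe = exe.group(1)  # a subprocess call failed before any output was written
    cause = ("missing executable: " + no_exe if no_exe else
             "refs point at objects that were never retrieved" if bad_refs else "none found")
    return {"status": dict(status), "missing_objects": len(missing),
            "dangling_refs": bad_refs, "cause": cause}

if __name__ == "__main__":
    print(triage(DOCKER_RUN), triage(LOCAL_RUN), sep="\n")
```

The missing-executable check takes precedence because the run aborts at that point, so any later ref errors would never be reached.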
